Hi,

I noticed https://fedoraproject.org/wiki/SecurityBasics, which is 2 clicks from the landing page and could use some updates.

Do we have any kind of security announcements list which could be recommended there?

Richard
---
Name and OpenPGP keys available from pgp key servers
On 26/10/14 03:09 PM, Richard Z wrote:
> Hi,
> I noticed https://fedoraproject.org/wiki/SecurityBasics, which is 2 clicks from the landing page and could use some updates.
> Do we have any kind of security announcements list which could be recommended there?

Nope. This is about as close as it gets:
https://lists.fedoraproject.org/mailman/listinfo/package-announce

We used to (e.g. before I worked at Red Hat) simply filter on subject and body for "CVE" and read all of it.

> Richard
> ---
> Name and OpenPGP keys available from pgp key servers

--
security mailing list
security@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/security
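As an added illustration of the two filtering approaches that come up in this thread (the "filter subject and body for CVE" habit described above, and the [SECURITY] subject tag that package-announce applies, mentioned later in the thread), here is a small Python script that classifies announcement mail. It is example code written for this page, not something posted by any of the participants or shipped by Fedora; the sample messages, package names, sender address and CVE numbers in it are constructed placeholders.

```python
"""Flag security-relevant update announcements in package-announce style mail.

Added example (not from the thread): two complementary filters, the
"[SECURITY]" subject tag the list applies and the older "look for CVE in
subject and body" habit, applied to a few constructed sample messages.
"""
import re
from email import message_from_string
from email.message import Message
from typing import Optional

# CVE identifiers: 4-digit year, then a sequence number of at least 4 digits.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
SECURITY_TAG = "[SECURITY]"

# Constructed sample messages; package names, addresses and CVE numbers are
# placeholders, not real updates or real CVEs.
SAMPLE_MESSAGES = [
    "From: updates@example.invalid\n"
    "Subject: [SECURITY] Fedora 20 Update: examplepkg-1.2.3-1.fc20\n"
    "\n"
    "This update fixes CVE-2014-99991 and CVE-2014-99992 (placeholder ids).\n"
    "CVE-2014-99991 is mentioned twice to show de-duplication.\n",

    "From: updates@example.invalid\n"
    "Subject: Fedora 20 Update: otherpkg-4.5.6-2.fc20\n"
    "\n"
    "Bugfix release. Also backports the fix for CVE-2014-99993, which the\n"
    "maintainer forgot to flag as a security update.\n",

    "From: updates@example.invalid\n"
    "Subject: Fedora 20 Update: plainpkg-0.1-1.fc20\n"
    "\n"
    "Rebuilt for a new upstream version; no security content.\n",
]


def _body_text(msg: Message) -> str:
    """Concatenate the decoded text/plain parts of a (possibly multipart) message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        payload = part.get_payload(decode=True)
        if payload is not None:
            charset = part.get_content_charset() or "utf-8"
            chunks.append(payload.decode(charset, errors="replace"))
    return "\n".join(chunks)


def classify(raw: str) -> Optional[dict]:
    """Return a notice dict if the message looks security-relevant, else None."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    text = subject + "\n" + _body_text(msg)
    tagged = SECURITY_TAG in subject            # the list's own [SECURITY] tag
    cves = sorted(set(CVE_RE.findall(text)))    # the "look for CVE" fallback
    if not tagged and not cves:
        return None
    return {"subject": subject, "tagged": tagged, "cves": cves}


def security_notices(raw_messages):
    """Filter a batch of raw messages down to the security-relevant ones, in order."""
    return [n for n in (classify(m) for m in raw_messages) if n is not None]


if __name__ == "__main__":
    for notice in security_notices(SAMPLE_MESSAGES):
        flag = "tagged" if notice["tagged"] else "untagged, CVE in body"
        print(f"{notice['subject']}  [{flag}]  {', '.join(notice['cves'])}")
```

The second sample message is the case the thread worries about: a fix that the maintainer never marked as a security update. The subject-tag filter alone would miss it, while the CVE scan of the body still surfaces it, which is why running both is worthwhile when triaging a feed like package-announce.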
On Sun, Oct 26, 2014 at 10:09:06PM +0100, Richard Z wrote:
> Do we have any kind of security announcements list which could be recommended there?

What, exactly, would you expect to see on a security announcements list?

--
Eric

--------------------------------------------------
Eric "Sparks" Christensen
Red Hat, Inc - Product Security
sparks@redhat.com - sparks@fedoraproject.org
097C 82C3 52DF C64A 50C2 E3A3 8076 ABDE 024B B3D1
--------------------------------------------------
On 10/27/14 8:33, Eric H. Christensen wrote:
> What, exactly, would you expect to see on a security announcements list?
>
> --
> Eric

I'd like to see something on par with the standard RHEL errata update emails when the update is related to a security issue. Getting an email with links to the package and links to relevant CVEs (or other trackers) would allow me to rapidly assess the situation and know what priority I should place on an upgrade.

--
Major Hayden
On 27/10/14 08:53 AM, Major Hayden wrote:
> On 10/27/14 8:33, Eric H. Christensen wrote:
>> What, exactly, would you expect to see on a security announcements list?
>>
>> --
>> Eric
>
> I'd like to see something on par with the standard RHEL errata update emails when the update is related to a security issue. Getting an email with links to the package and links to relevant CVEs (or other trackers) would allow me to rapidly assess the situation and know what priority I should place on an upgrade.

Probably your best bet then is to join the Fedora project and help generate that data, test that the updates fix the issues, etc.
On 10/27/14 10:12, Kurt Seifried wrote:
> Probably your best bet then is to join the Fedora project and help generate that data, test that the updates fix the issues, etc.

I'm there already! Something that might be beneficial is to make an announcement when bodhi gets a package update that is labeled as a security fix. Perhaps that could be done via RSS or email.

Richard -- does that go towards what you're looking for?

--
Major Hayden
On Mon, Oct 27, 2014 at 10:29:15AM -0500, Major Hayden wrote:
>> Probably your best bet then is to join the Fedora project and help generate that data, test that the updates fix the issues, etc.
>
> I'm there already! Something that might be beneficial is to make an announcement when bodhi gets a package update that is labeled as a security fix. Perhaps that could be done via RSS or email. Richard -- does that go towards what you're looking for?

We also _really_ need to get people to write better descriptions of updates, especially when security is involved. Possibly we can do something in bodhi2 to encourage that.
On Mon, Oct 27, 2014 at 09:53:30AM -0500, Major Hayden wrote:
> On 10/27/14 8:33, Eric H. Christensen wrote:
>> What, exactly, would you expect to see on a security announcements list?
>>
>> --
>> Eric
>
> I'd like to see something on par with the standard RHEL errata update emails when the update is related to a security issue. Getting an email with links to the package and links to relevant CVEs (or other trackers) would allow me to rapidly assess the situation and know what priority I should place on an upgrade.

This seems to already be happening[0] on the package-announce list[1]. Security updates are being sent with [SECURITY] so I wonder if this is being done with topics.

[0] https://lists.fedoraproject.org/pipermail/package-announce/2014-October/1396...
[1] https://lists.fedoraproject.org/pipermail/package-announce/

--
Eric
On Mon, Oct 27, 2014 at 11:57:16AM -0400, Eric H. Christensen wrote:
> This seems to already be happening[0] on the package-announce list[1]. Security updates are being sent with [SECURITY] so I wonder if this is being done with topics.

Oh cool -- it is. There are topics for every Fedora release, plus Security and "Newpackages". After subscribing, edit options here: https://admin.fedoraproject.org/mailman/options/package-announce

But we do still need to figure out a way to encourage people to write better descriptions.
On 27/10/14 10:03 AM, Matthew Miller wrote:
> On Mon, Oct 27, 2014 at 11:57:16AM -0400, Eric H. Christensen wrote:
>> This seems to already be happening[0] on the package-announce list[1]. Security updates are being sent with [SECURITY] so I wonder if this is being done with topics.
>
> Oh cool -- it is. There are topics for every Fedora release, plus Security and "Newpackages". After subscribing, edit options here: https://admin.fedoraproject.org/mailman/options/package-announce
>
> But we do still need to figure out a way to encourage people to write better descriptions.

That is a tough one to always get right because you need an intersection of package expertise and security expertise. E.g. I can write security descriptions until the cows come home, especially for things I understand, but you stick me in front of a reasonably complex kernel issue and I'm gonna poke someone else for help so I don't mess it up.

The flipside of this is there's like a top 10 or 20 vulns that account for the bulk of issues (e.g. buffer overflow, XSS) and are relatively easy to understand, confirm and describe. So if you're not shooting for 100% you can easily get to 80-90%, but then you run the risk of really bad things slipping out unnoticed or unmentioned ("Check for fishy environment" being a classic example; without a CVE I bet this would slip past most people =).

One catch: AFAIK we have no training material for this (and I've never seen anything good publicly available), so if we want people to do the right thing, they'll need to be taught how.
On Mon, Oct 27, 2014 at 12:03:10PM -0400, Matthew Miller wrote:
> On Mon, Oct 27, 2014 at 11:57:16AM -0400, Eric H. Christensen wrote:
>> This seems to already be happening[0] on the package-announce list[1]. Security updates are being sent with [SECURITY] so I wonder if this is being done with topics.
>
> Oh cool -- it is. There are topics for every Fedora release, plus Security and "Newpackages". After subscribing, edit options here: https://admin.fedoraproject.org/mailman/options/package-announce

Many thanks for this hint and all the other answers. I am slowly proceeding to improve and reorganize the security-related pages in the wiki.

Richard
---
Name and OpenPGP keys available from pgp key servers